Movatterモバイル変換

[0]ホーム
URL:

US8639797B1 - Network monitoring of behavior probability density - Google Patents

Network monitoring of behavior probability densityDownload PDF

Info

Publication number
US8639797B1
US8639797B1US12/180,243US18024308AUS8639797B1US 8639797 B1US8639797 B1US 8639797B1US 18024308 AUS18024308 AUS 18024308AUS 8639797 B1US8639797 B1US 8639797B1
Authority
US
United States
Prior art keywords
activity
network
information regarding
recent
term
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US12/180,243
Inventor
Xiaohong Pan
Kishor Kakatkar
Derek Sanders
Rangaswamy Jagannathan
Jing Liu
Rosanna Lee
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Virtual Instruments Worldwide Inc
Original Assignee
Xangati Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US12/180,243priorityCriticalpatent/US8639797B1/en
Application filed by Xangati IncfiledCriticalXangati Inc
Assigned to XANGATI, INC.reassignmentXANGATI, INC.ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: JAGANNATHAN, RANGASWAMY, KAKATKAR, KISHOR, LEE, ROSANNA, LIU, JING, PAN, XIAOHONG, SANDERS, DEREK
Application grantedgrantedCritical
Publication of US8639797B1publicationCriticalpatent/US8639797B1/en
Assigned to WESTERN ALLIANCE BANKreassignmentWESTERN ALLIANCE BANKSECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: XANGATI, INC.
Assigned to TRIPLEPOINT VENTURE GROWTH BDC CORP.reassignmentTRIPLEPOINT VENTURE GROWTH BDC CORP.SECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: XANGATI, INC.
Assigned to VIRTUAL INSTRUMENTS WORLDWIDE, INCreassignmentVIRTUAL INSTRUMENTS WORLDWIDE, INCASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: XANGATI INC
Assigned to TRIPLEPOINT VENTURE GROWTH BDC CORP.reassignmentTRIPLEPOINT VENTURE GROWTH BDC CORP.SECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: VIRTUAL INSTRUMENTS CORPORATION, VIRTUAL INSTRUMENTS USA, INC., VIRTUAL INSTRUMENTS WORLDWIDE, INC., XANGATI, INC.
Assigned to WESTERN ALLIANCE BANKreassignmentWESTERN ALLIANCE BANKSECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: VIRTUAL INSTRUMENTS WORLDWIDE, INC.
Assigned to VIRTUAL INSTRUMENTS WORLDWIDE, INC.reassignmentVIRTUAL INSTRUMENTS WORLDWIDE, INC.RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS).Assignors: WESTERN ALLIANCE BANK
Assigned to XANGATI, INC.reassignmentXANGATI, INC.RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS).Assignors: WESTERN ALLIANCE BANK
Assigned to MIDTOWN MADISON MANAGEMENT LLCreassignmentMIDTOWN MADISON MANAGEMENT LLCSECURITY INTEREST (SEE DOCUMENT FOR DETAILS).Assignors: VIRTUAL INSTRUMENTS CORPORATION, VIRTUAL INSTRUMENTS WORLDWIDE, INC., XANGATI, INC.
Assigned to VIRTUAL INSTRUMENTS WORLDWIDE, INC. F/K/A LOAD DYNAMIX, INC.reassignmentVIRTUAL INSTRUMENTS WORLDWIDE, INC. F/K/A LOAD DYNAMIX, INC.RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS).Assignors: TRIPLEPOINT VENTURE GROWTH BDC CORP., AS THE SECURED PARTY
Assigned to XANGATI, INC.reassignmentXANGATI, INC.RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS).Assignors: TRIPLEPOINT VENTURE GROWTH BDC CORP., AS THE SECURED PARTY
Activelegal-statusCriticalCurrent
Adjusted expirationlegal-statusCritical

Links

Images

Classifications

Definitions

Landscapes

Abstract

A network monitoring system maintains both information regarding historical activity of a network, and information regarding emergent activity of the network. Comparison of historical activity of the network with emergent activity of the network allows the system to determine whether network activity is changing over time. The network monitoring system maintains data structures representing a p.d.f. for observable values of network parameters. Recent activity of the network can be compared with both the p.d.f. for historical activity and for emergent activity to aid in determining whether that recent activity is within the realm of normal, and whether network activity is changing over time. The network monitoring system adjusts that information regarding historical activity of a network in response to emergent activity of that network. The network monitoring device determines information regarding time-dependent activity of that network in response to spectral analysis regarding historical activity of that network.

Description

CROSS-REFERENCE TO RELATED DOCUMENTS
This application claims priority of, the following related documents:
    • U.S. Provisional Patent Application 60/963,233, filed Aug. 3, 2007, titled “Network Monitoring of Behavior Probability Density”, Express Mail mailing number EV 875 991 972 US.
    • U.S. Provisional Patent Application 60/963,229, filed Aug. 3, 2007, titled “Continuous Adaptive Monitoring of Network Behavior”, Express Mail mailing number EV 875 991 990 US.
    • U.S. Provisional Patent Application 60/963,226, filed Aug. 3, 2007, titled “Spectral Analysis of Periodicity in Network Behavior”, Express Mail mailing number EV 875 992 006 US.
Each of these documents is hereby incorporated by reference as if fully set forth herein. These documents are sometimes referred to herein as the “incorporated disclosures”.
BACKGROUND
One known problem when monitoring network activity is that of distinguishing between normal network activity and abnormal network activity. Short-term network activity might represent abnormal activity, might represent a change in normal network activity, or might represent a short-term deviation from normal activity that is itself not problematic. This has the effect that it might become difficult for a network monitoring device to reliably distinguish between those types of network activity that are normal and those types of network activity that are not.
SUMMARY
A network monitoring system maintains both (1) information regarding historical activity of a network, e.g., in response to a relatively long-term review of network behavior, and (2) information regarding emergent activity of the network, e.g., in response to a relatively short-term review of network behavior. Comparison of historical activity of the network with emergent activity of the network allows the network monitoring system to determine whether network activity is changing over time.
The network monitoring system adjusts that information regarding emergent activity of that network in response to information regarding recent activity of that network, so long as that recent activity of that network falls within the realm of normal behavior of that network. From time to time, that information regarding historical activity of the network is adaptively modified in response to information regarding emergent activity of that network.
The network monitoring system adjusts that information regarding historical activity of a network in response to emergent activity of that network. The network monitoring device determines information regarding time-dependent activity of that network, e.g., periodicity of network activity, in response to spectral analysis of that information regarding historical activity of that network.
The network monitoring system may maintain data structures representing a p.d.f. (probability density function) for observable values of network parameters. Such data structures can be maintained both for historical activity of the network and for emergent activity of the network. Recent activity of the network can be compared with both the p.d.f. for historical activity and for emergent activity to aid in determining whether that recent activity is within the realm of normal, and whether network activity is changing over time.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 shows a block diagram of an embodiment of a system of the present invention.
FIG. 2 shows a conceptual view of a process flow in a method.
FIG. 3 shows a conceptual view of another process flow in a method.
FIG. 4 shows an example of a crosspoint traffic data for four weeks.
FIG. 5 shows an example of a periodicity analysis of historical data.
DETAILED DESCRIPTION
This application should be read in its most general form, including, without limitation:
    • References to specific structures or techniques include alternative or more general structures or techniques, especially when discussing aspects of the invention, or how the invention might be made or used.
    • References to “preferred” structures or techniques generally mean that the inventor contemplates using those structures are techniques, and think they are best for the intended application. This does not exclude other structures or techniques for the invention, and does not mean that the preferred structures or techniques would necessarily be preferred in all circumstances.
    • References to first contemplated causes or effects for some implementations do not preclude other causes or effects that might occur in other implementations, even if completely contrary, where circumstances would indicate that the first contemplated causes or effects would not be as determinative of the structures or techniques to be selected for actual use.
    • References to first reasons for using particular structures or techniques do not preclude other reasons or other structures or techniques, even if completely contrary, where circumstances would indicate that the first structures or techniques are not as compelling. The invention includes those other reasons or other structures or techniques, especially where circumstances would indicate they would achieve the same effect or purpose as the first reasons, structures, or techniques.
TERMS AND PHRASES
This application should be read with the following terms and phrases in their most general form. The general meaning of each of these terms or phrases is illustrative, not in any way limiting.
    • The phrase “network monitoring system”, and the like, generally refers to any apparatus or method by which information relating to network traffic is identified or reported. The phrase “network monitoring device”, and the like, generally refers to any apparatus included in a network monitoring system.
    • The phrases “network activity”, “network behavior”, and the like, generally refer to any information relating to status of a network of processing devices. The phrase “network traffic”, and the like, generally refers to any information relating to communication in a network of processing devices.
    • The phrase “historical activity”, and the like, generally refers to any information responsive to a relatively long-term review of network activity.
    • The phrase “emergent activity”, and the like, generally refers to any information responsive to a relatively short-term review of network activity.
    • The phrase “recent activity”, and the like, generally refers to any information responsive to a relatively recent review of network activity.
    • The terms “p.d.f.” and “probability density function”, and the like, generally refer to any information relating to an observed or observable distribution of possible network behavior.
Referring initially toFIG. 1, anetwork monitoring system100 includes elements as shown in theFIG. 1, including at least: a flow processing engine110 (coupled to a communication network), anetwork information buffer120, amonitoring engine130, avirtual bus140, and adatabase server150.
The communication network might include any form of communication pathway, such as, a broadcast or narrowcast network, a bus or crossbar switch or other substantially internal communications path in a computing device, a LAN or WAN, a set of external devices disposed for cluster computing or other distributed computing, an enterprise network or internet or intranet, or otherwise.
Theflow processing engine110 includes aninput port111, coupled to the communication network, capable of receiving information from the network regarding communication flows within that network. Such information regarding communication flows might be received from one or more network routers or other traffic reporting devices, as further described in the incorporated disclosures. While this description includes embodiments in which theflow processing engine110 receives information regarding communication flows, in the context of the invention, there is no particular requirement to so limit theflow processing engine110 or the invention. For example, thenetwork monitoring system100 might alternatively operate using information regarding actual network packet traffic, or other information suitable for the operations described herein.
Thenetwork information buffer120 is coupled to an output of theflow processing engine110, and is capable of receiving network information relating to activity of the communication network. In one embodiment, that network information includes a set of virtual packets, as further described in the incorporated disclosures. While this description includes embodiments in which thenetwork information buffer120 receives a set of virtual packets, in the context of the invention, there is no particular requirement to so limit thenetwork information buffer120 or the invention. For example, thenetwork monitoring system100 might alternatively operate using other information suitable for the operations described herein.
Themonitoring engine130 reads information from thenetwork information buffer120 and determines substantially instantaneous values for observable values of network parameters.
In one embodiment, these observable values include a bit rate (expressed in bits per second, or an equivalent thereof), a packet rate (expressed in packets per second, or an equivalent thereof), a communication density (expressed as number of concurrent communication partners, or an equivalent thereof), and a communication burstiness (expressed as a change in bit rate, or an equivalent thereof). While this description includes embodiments with regard to these particular observable parameters, in the context of the invention, there is no particular requirement to so limit themonitoring engine130 or the invention. For example, thenetwork monitoring system100 might alternatively operate using a first or second derivative of any of these parameters, or other information suitable for the operations described herein.
Thevirtual bus140 provides for communication among elements of thenetwork monitoring system100, such as elements shown in theFIG. 1, including at least: themonitoring engine130 and thedatabase server150. Such communication might be conducted using a set of subscription channels, as further described in the incorporated disclosures. While this description includes embodiments in which communication uses subscription channels, in the context of the invention, there is no particular requirement to so limit thevirtual bus140 or the invention. For example, thenetwork monitoring system100 might alternatively operate using a blackboard communication system, interprocess communication, or other techniques suitable for the operations described herein.
Thedatabase server150 maintains a database of information for use by elements of thenetwork monitoring system100. Thedatabase server150 includes elements as shown in theFIG. 1, including at least: anhistorical histogram151 regarding historical activity of the network, anemergent histogram152 regarding emergent activity of the network.
Thehistorical histogram151 and theemergent histogram152 each include a set ofbuckets153, disposed in a sequential order for observable values of a parameter relating to network activity, and may be marked with a timestamp indicating at what time those observable values were detected, and include a set of time-stamped bins, each marked with a selected time offset from a beginning of a selected time duration. For example, where that parameter includes a bit rate, the set ofbuckets153 might include
    • a 1stbucket153 for less than 101bits per second,
    • a 2ndbucket153 for at least 101bits per second but less than 102bits per second,
    • a 3rdbucket153 for at least 102bits per second but less than 103bits per second,
    • a 4thbucket153 for at least 103bits per second but less than 104bits per second,
    • a 5thbucket153 for at least 104bits per second but less than 105bits per second,
    • a 6thbucket153 for at least 105bits per second but less than 106bits per second,
    • a 7thbucket153 for at least 106bits per second but less than 107bits per second, and
    • an 8thbucket153 for at least 107bits per second.
While this description includes embodiments in which there are this particular number of buckets and in which the buckets are have an exponentially distributed size, in the context of the invention, there is no particular requirement thatbuckets153 or the invention should be so limited. For example, thenetwork monitoring system100 might alternatively operate using a different number ofbuckets153, a Gaussian or other distinct distribution of sizes for thosebuckets153, a different set of data for thosebuckets153, or other information suitable for the operations described herein.
In eachbucket153, thedatabase server150 maintains a count of an observed set of values as reported by themonitoring engine130. This has the effect that thehistorical histogram151 and theemergent histogram152 each represent observed activity of the network, with more frequent activity being represented bybuckets153 having a larger count of their respective observed set of values and with less frequent activity being represented bybuckets153 having a smaller count of their respective observed set of values. This has the effect that thehistorical histogram151 and theemergent histogram152 each represent a p.d.f. (probability distribution function) of network activity.
While this description includes embodiments in which thehistorical histogram151 and theemergent histogram152 each represent a p.d.f. (probability distribution function) of network activity, in the context of the invention, there is no particular requirement that thehistorical histogram151 and theemergent histogram152, or the invention, should be so limited. For example, thenetwork monitoring system100 might alternatively operate using a histogram representing other information, such as for example a cumulative probably distribution function, or other information suitable for the operations described herein.
Thehistorical histogram151 represents observed historical activity of the network, i.e., information responsive to a relatively long-term review of network activity. Theemergent histogram152 represents observed emergent activity of the network, i.e. information responsive to a relatively short-term review of network activity. This has the effect that, should the nature of network activity change, that change will first be reflected in theemergent histogram152, and only later be reflected in thehistorical histogram151. This has the effect that any significant differences between theemergent histogram152 and thehistorical histogram151 can be used to detect any significant changes in the nature of network activity. Accordingly, from time to time, thehistorical histogram151 is adjusted to reflect changes in theemergent histogram152.
This also has the effect that recent network activity can be compared both with thehistorical histogram151 and with theemergent histogram152. Should recent network activity differ significantly from thehistorical histogram151, this might indicate relatively unusual network activity. Should recent network activity differs significantly from theemergent histogram152, this might indicate relatively unusual network activity, or might alternatively indicate the occurrence of changes in the nature of network activity.
Accordingly, thenetwork monitoring device100 compares recent network activity with thehistorical histogram151 to determine whether that recent network activity is relatively unusual. Thenetwork monitoring device100 compares recent network activity with theemergent histogram152 to determine whether that recent network activity indicates an ongoing change in the nature of network activity.
This has the effect that, so long as theemergent histogram152 is consistent with thehistorical histogram151, any recent network activity that differs from theemergent histogram152 would indicate an ongoing change in the nature of network activity. In contrast, theemergent histogram152 might be inconsistent with thehistorical histogram151, in which case any recent network activity would be reflected in theemergent histogram152, with the effect that any ongoing change in the nature of network activity would become reflected in theemergent histogram152.
Referring toFIG. 2, amethod200 of flow markers and process steps is illustrated and described as follows:
Aflow marker200A indicates a beginning of themethod200. Although described sequentially, the flow markers and process steps shown with regard to themethod200 may be performed concurrently, in parallel, pipelined, or otherwise, with the effect that those flow markers and process steps might be performed substantially simultaneously with respect to distinct data.
Themethod200 proceeds with theflow marker210. Aflow marker210 indicates that themethod200 is ready to compute histograms.
At astep211, thenetwork monitoring system100 has access to anhistorical histogram151, a “last known good” emergent histogram152 (sometimes referred to herein as152a), and an “in construction” emergent histogram152 (sometimes referred to herein as152b). Thehistorical histogram151 includes a set of acceptable observable values, and a set of threshold values indicating how far from the acceptable observable values actual recent network activity may stray without being regarded as abnormal network activity.
At astep212, thenetwork monitoring system100 receives substantially instantaneous values for observable values of network parameters. In one embodiment, as described above, these observable values can be read from thevirtual bus140 or from thedatabase server150.
At astep213, thenetwork monitoring system100 compares the observable values, received in theprevious step212, with thehistorical histogram151. If the observable values are inconsistent with thehistorical histogram151, i.e., if the observable values stray outside the set of acceptable observable values by more than the threshold values described with respect to thestep211, thenetwork monitoring system100 concludes that the observable values represent abnormal network activity.
If thenetwork monitoring system100 concludes that the observable values from recent network activity represent abnormal network activity, themethod200 proceeds with thenext step214, at which step those observable values from recent network activity can be disregarded, along with the “in construction” emergent histogram152b.
If thenetwork monitoring system100 concludes that the observable values from recent network activity represent normal network activity, anymethod200 skips thenext step214, and proceeds with thestep215, at which step the observable values from recent network activity can be integrated into the “in construction” emergent histogram152b.
At astep214, thenetwork monitoring system100 replaces the “in construction” emergent histogram152bwith the “last known good” emergent histogram152a. Themethod200 waits for a selected time duration, for network activity to return to normal, after which themethod200 proceeds with thestep211.
At astep215, thenetwork monitoring system100 integrates the observable values from recent network activity into the “in construction” emergent histogram152b. In one embodiment, thenetwork monitoring system100 computes an exponential moving average for eachbucket153 and the “in construction” emergent histogram152b, i.e., thenetwork monitoring system100 computes an exponential moving average of the previously-recorded value for eachbucket153 and a new value associated with the observable values for thatsame bucket153, and replaces the recorded value in thatsame bucket153 with the new exponential moving average.
Thenetwork monitoring system100 computes the “in construction” emergent histogram152b, using the exponential moving average as described in theprevious step215, for a first selected time duration. During that first selected time duration, thenetwork monitoring system100 repeats thestep211, thestep212, thestep213, and thestep215, so long as the observable values remain within what thenetwork monitoring system100 considers normal network activity. After that first selected time duration, thenetwork monitoring system100 pauses its computation of the exponential moving average, and executes the followingstep216.
At astep216, thenetwork monitoring system100 replaces the “last known good” emergent histogram152awith the values computed in the “in construction” emergent histogram152b. This has the effect of preserving the computed exponential moving average recorded in the “in construction” emergent histogram152bas the new “last known good” emergent histogram152a.
After preserving the computed exponential moving average by replacing the “last known good” emergent histogram152awith the “in construction” emergent histogram152b, themethod200 proceeds with thestep211, to continue adjusting theemergent histogram152.
Aflow marker220 indicates that themethod200 is ready to compute historical histograms. Thenetwork monitoring system100 maintains the “last known good” emergent histogram152a, for a second selected time duration. During that second selected time duration, thenetwork monitoring system100 repeats thestep211, thestep212, thestep213, thestep215, and thestep216, so long as the observable values remain within what thenetwork monitoring system100 considers normal network activity. After that second selected time duration, thenetwork monitoring system100 pauses its maintenance of the “last known good” emergent histogram152a, and executes the followingstep221.
At astep221, thenetwork monitoring system100 computes an adaptive modification of thehistorical histogram151, in response to the “last known good” emergent histogram152a. To perform this step, thenetwork monitoring system100 computes a new value for eachbucket153 of thehistorical histogram151, as follows:
(historical bucket value)new=λ(historical bucket value)old+(1−λ)(“last known good” bucket value)new
In one embodiment, the parameter λ might equal approximately 0.8, i.e., 80% (i.e., λ) of the old historical bucket value is maintained and 20% (i.e., 1−λ) of the emergent bucket value is substituted.
After adaptively modifying thehistorical histogram151, themethod200 proceeds with theflow marker210, to continue adjusting theemergent histogram152.
Aflow marker200B indicates an end of themethod200.
Referring toFIG. 3, a conceptual diagram of a process flow in a method is illustrated and described as follows:
Aflow marker300A indicates a beginning of themethod300. Although described sequentially, the flow markers and process steps shown with regard to themethod300 may be performed concurrently, in parallel, pipelined, or otherwise, with the effect that those flow markers and process steps might be performed substantially simultaneously with respect to distinct data.
Themethod300 proceeds with theflow marker310. Aflow marker310 indicates that themethod300 is ready to average time-dependent observations.
At astep311, thenetwork monitoring system100 has access to the set of substantially instantaneous values for observable values of network parameters, each marked with a timestamp indicating at what time those observable values were detected. At this step, thenetwork monitoring system100 also has access to the set of time-stamped bins, each marked with a selected time offset from a beginning of a selected time duration.
At astep312, thenetwork monitoring system100 allocates the set of substantially instantaneous values for observable values of network parameters, each to an associated time-stamped bin. This has the effect that all time-stamped observations preferably are allocated to an associated time-stamped bin matching the offset of that time-stamped observation from the beginning of a selected time duration.
In one embodiment, the selected time duration should be at least about four weeks, with the effect that time-dependent patterns in the observable values can be readily detected.
In one embodiment, the selected number of time-stamped bins should be a power of two, with the effect that an FFT (Fast Fourier Transform) can readily be performed for the data maintained in those time-stamped bins.
At astep313, thenetwork monitoring system100 averages the observable values for each time-stamped bin. This has the effect that multiple observable values, each allocated to a common time-stamped bin, preferably are averaged to produce a single value associated with that time-stamped bin, i.e., associated with the offset of that time-stamped bin with respect to the selected time duration.
For one example, when examining a set of observable values occurring over a selected time duration of four weeks, and when allocating those observable values to a set of 8,192 (213) separate time-stamped bins, each such time-stamped bin would have an allocated duration of approximately 295.31 seconds. For each such time-stamped bin, thenetwork monitoring system100 averages all observable values whose timestamp falls into that common bin. Where those observable values include bit rate information, those bit rates can be averaged within each time-stamped bin.
Themethod300 proceeds with theflow marker320. Aflow marker320 indicates that themethod300 is ready to perform an FFT (Fast Fourier Transform).
At astep321, thenetwork monitoring system100 performs an FFT operation on the averaged data that was computed for each time-stamped bin. This has the effect of producing a sequence of complex number values, each representing a coefficient of a sine wave or cosine wave from transforming the (averaged) observable values from a time domain into a frequency domain.
At astep322, thenetwork monitoring system100 computes a magnitude of each such complex coefficient. A magnitude of a complex coefficient can readily be computed as follows:
x+yi∥=√(x2+y2)
Themethod300 proceeds with theflow marker330. Aflow marker330 indicates that themethod300 is ready to interpret a result of the FFT (Fast Fourier Transform).
At astep331, thenetwork monitoring system100 sorts the magnitudes determined for each frequency in rank order.
It is expected that the magnitude associated with a zero frequency, i.e., a DC coefficient, will be relatively largest, as (for bit rate information) this represents an average amount of bit rate traffic over time. This value is expected to be greater than zero, as bit rate is expected not to ever be negative.
At astep332, thenetwork monitoring system100 determines if there are any other frequencies for which the magnitude of the frequency coefficient is substantial. For one example, thenetwork monitoring system100 might determine if there is are any other frequencies for which that magnitude is statistically significant above zero. If there is no such frequency, thenetwork monitoring system100 determines that there is no significant periodicity to the observable values. Without significant periodicity to the observable values, themethod300 proceeds with theflow marker300B, where themethod300 ends.
If there is any such frequency for which there is significant periodicity, themethod300 proceeds with theflow marker340. Aflow marker340 indicates that themethod300 is ready to re-computes profiles with respect to particular periodic frequencies.
At astep341, thenetwork monitoring system100 re-computes a profile with respect to each particular periodic frequency. It is expected that the most common frequencies to exhibit periodicity would be daily (a frequency of 28 in a four-week data set) and weekly (a frequency of 4 in a four-week data set).
In one embodiment, thenetwork monitoring system100 re-computes profiles with respect to particular periodic frequencies as follows:
    • Where thenetwork monitoring system100 detects both daily periodicity and weekly periodicity, thenetwork monitoring system100 re-computes profiles for a weekly time duration.
    • Where thenetwork monitoring system100 detects daily periodicity but not weekly periodicity, thenetwork monitoring system100 re-computes profiles for a daily time duration.
    • Where thenetwork monitoring system100 detects neither daily periodicity nor weekly periodicity, thenetwork monitoring system100 does not re-compute profiles for any periodic time duration.
Aflow marker300B indicates an end of themethod300.
Examples of Specific Applications
The following examples of specific applications illustrate some aspects of the techniques previously discussed in conjunction with other techniques. It should be understood that this application is not limited to these specific examples. Also, the steps of any methods and/or techniques described below can be performed in a different order than shown, pipelined, threaded, or in other ways. Some steps might be omitted in some applications, and additional steps may be added.
Crosspoints
The term “crosspoint” generally describes an entity which can be determined by training, creating a baseline, and eventually detecting symptoms. Four types of crosspoints are generally profiled: IDs (named network endpoints), Applications, Locations, Interfaces, and Time Periods. Both incoming and outgoing activity for each of these crosspoints may be profiled.
ID and Application crosspoints may be automatically generated using a discovery process, followed by an object creation process. The discovery process looks at flows representing packets on the network. From each flow, it extracts information corresponding to some of the original packet header information for each packet (src/dst IP address, port, and protocol), and creates a virtual packet with that information.
To generate potential ID crosspoints, the discovery process preferably keeps an exponential moving average (EMA) of the bit rate and packet rate for each IP address that it sees. If or when the EMA exceeds a certain user-defined threshold, then this IP address becomes a candidate for ID creation. If possible, a reverse DNS lookup may be used to determine the name. If successful, a name may be generated from its LDAP Owner field of the ManagedBy attribute and use the owner name instead of the DNS name. If unsuccessful, the name may be derived from its MAC address obtained via an SNMP query of the endpoint. Alternatively, the system user may declare that this area of the network is “static,” in which case a name may be created using the IP address and a user-supplied suffix.
Profiling Crosspoints
Once the potential ID-base crosspoints have been generated, they preferably are written to a text file. Another process can periodically check this file and creates the ID crosspoints from it. This creation may be throttled to help prevent the system from being overwhelmed with simultaneous creation of large numbers of IDs.
To generate potential application-based crosspoints, the discovery process preferably checks the port of each virtual packet. If the port is a well-known port for a known application, or if it is a port that already has been assigned for a particular application, then traffic for that port can be accounted for in the bit rate and packet rate of the application. However, if the port is not already mapped to an application, then the discovery process can keep an EMA of the bit rate and packet rate for that port. If or when the EMA exceeds the user-defined threshold, then the port can be a candidate to become an application.
These ports that are potential applications can be written to a text file. Another process can periodically check this text file and displays these ports to the user. Users can either specify for these ports to become new application(s), or they can specify for them to join existing application(s), for example.
The location-based crosspoints can be specified by the system user in terms of subnet addresses to be included and/or ignored. The Interface-based cross-points can be discovered interfaces associated with flow data. The time period-based crosspoints can be pre-specified as particular hours of a workday or non-workday.
Rate Profiling Metrics
Current network traffic for each crosspoint can be monitored using an exponential moving average (EMA). Several metrics for each profile point preferably are continually being updated based on this EMA. These metrics, which are occasionally baselined and saved as profiles, enable the system to understand “normal” behavior for this crosspoint. The current traffic EMA may then be compared with these baselined profiles at any time to determine whether the network behavior is normal.
Two metrics that may be stored for each profile point are the minimum and maximum for four different values: packet rate, bit rate, interaction rate, and burstiness.
The packet rate and bit rate values can be the EMA values updated periodically, such as once per second for example, using the average packet rate and average bit rate for that second.
Interaction rate is a measure of how many IP addresses are actively:
    • sending to or receiving from an ID profile point;
    • using an application (for an application profile point);
    • sending to or receiving from a location profile point;
    • sending to or receiving from an Interface profile point; or
    • sending or receiving traffic during that time period (for a time period profile point).
Burstiness is the rate of change of bit rate. The literature discusses several commonly used measures of traffic burstiness:
    • peak-to-mean ratio,
    • coefficient of variation of inter-arrival times,
    • the indices of dispersion for intervals and counts, and
    • the Hurst parameter for self-similar distributions.
Using the peak-to-mean ratio can be an efficient metric to calculate realtime. It may be computed by taking the ratio of the peak of a very short-term rate to a long-term average rate; comparing, for example, the peak of a 1-second EMA (over a 5-minute interval) with a 5-minute EMA.
The minimum and maximum EMA values for these various metrics allow symptoms (or abnormalities) to be flagged that are higher than normal (hyper) or lower than normal (hypo).
Affinity Profiling Metrics
In addition to rate profiling metrics, each crosspoint has affinity profiling metrics. Affinity represents the strength of correspondence between the crosspoint and another specific entity (called an “affinity point”). The affinity metric can be bit rate, bit rate*pkt rate (in order to allow both factors to positively influence the metric), or something else.
For each type of crosspoint, here are some, but not necessarily all, of the potential types of affinity points:
IDs:
    • Other IDs (which IDs does an ID communicate with),
    • Applications (which Apps does an ID use),
    • Locations (the ID belongs to which locations), and
    • Time Periods (the ID communicates during which particular time periods(s) of the day).
Applications:
    • IDs (which IDs are using this application),
    • Locations (this application is being run to/from which locations),
    • Interfaces (the Interfaces on which this application is delivered/consumed), and
    • Time Periods (the application is being used during which particular time period(s) of the day).
Locations:
    • IDs (which IDs are the most active at this location),
    • Applications (which applications are being run from this location),
    • Interfaces (the Interfaces which are associated with this location), and
    • Time Periods (the location is handling traffic at which particular times of the day).
Interfaces:
    • IDs (which IDs are the most active on this interface),
    • Applications (which applications are being run most heavily on this interface),
    • Locations (which locations are most active on this interface), and
    • Time Periods (the interfaces are active on which particular time periods).
Time Periods:
    • IDs (which IDs are the most active during this time period),
    • Applications (which applications are being run most heavily during this time period),
    • Interfaces (which interfaces are most active during this time period), and
    • Locations (which locations are most active during this time period).
      Affinity Profile Using Long Term EMA
For each profile point, train by tracking the metric's long-term EMA for each affinity point. (A long-term EMA is one where past data is weighted more heavily, and thus the metric is smoother over time compared with a normal EMA.) After some amount of training time, save several affinity points that have the top long-term averages and disregard the rest; this set becomes the “affinity profile.”
When comparing the current state with the affinity profile, when the current state is abnormal can be identified compared with the affinity profile, plus determine whether it's a “hypo” or “hyper” symptom. By summing the squared differences between the affinity profile and the current traffic, a metric of the overall amount of difference can be determined, which then can be compared against a threshold to determine whether it's significant enough to be “abnormal.” If it is, then by summing across these top affinity points for both the affinity profile and the current traffic, it may be determined whether it is hyper or hypo.
Affinity Profile Using Normal EMA
For each profile point, train by tracking the metric's normal EMA for each affinity point, saving the max and min values. After some amount of training time, save several affinity points that have the top EMA values and disregard the rest; this set becomes the affinity profile. To compare the current state with the affinity profile, compare each affinity point's current value one-by-one with the affinity profile. If it is greater than the max or less than the min, then it gets flagged as a difference. It then can be determined whether the overall difference across all profile points is significant enough to become a symptom event.
Symptom Detection Mechanism
Once the profile is in place, the detection mechanism can be determined by testing each crosspoint once per second using both the basic tests and the complex tests. If one of the tests signals an abnormality (i.e., the current EMA is significantly less than the minimum threshold, significantly more than the maximum threshold, or significantly different than the histogram), then a flag can be set for that profile point. If the crosspoint continues to experience the abnormality for a specified period, then it can be declared a “symptom event” and interested processes can be notified.
For a hyper abnormality, the detection mechanism attempts to determine further information about the excessive activity: where it's primarily coming from (for an incoming abnormality) or going to (for an outgoing abnormality), which protocol was primarily involved, and which port was primarily involved. We obtain this information by monitoring the IP addresses, ports, and protocols for all packets corresponding to a profile point involved in a hyper abnormality.
The predominant IP address can be determined by updating an EMA value for each matching IP address in an IP address tree as packets arrive. Tree nodes corresponding to IP addresses that don't receive packets will be aged, and eventually pruned from the tree if their EMA value gets small enough. Nodes with significant EMA values will stay on the tree. Periodically the EMA values from the tree get sorted, and the top IP address can be determined. If the top address has a significantly higher EMA than the other addresses, then it can be considered a predominant address and can be reported in the notification.
The port and protocol can be found in a similar manner, but use arrays rather than trees. The EMA values corresponding to different ports and protocols get continually updated as packets arrive; they also periodically get aged, and possibly can be purged if their EMA value is small enough. Periodically the arrays can be sorted, and the top port and protocol emerge. If they have a significantly higher EMA than the others, then they will be reported in the notification.
The symptom event will continue until the profile point experiences a specified period without any abnormalities. Once this occurs, the symptom event can be deemed over.
Accounting for Sampling During Profiling and Detecting
There are generally three areas where sampling can be used in profiling or detecting:
    • The smoothing factor used during the calculations of the average packet inter-arrival time is typically 0.001, for example. However, if the sample rate is less than 1 in 5 (0.2), then the smoothing factor gets adjusted upward so that it is proportional to the inverse of the sampling rate. Otherwise, the smoothing factor may be too small and cause the EMA to rise too slowly due to the sampling and relatively low packet rates. If the sampling rate is really low (less than 1 in 5000), then the smoothing factor will be 1, which effectively means there is no smoothing.
    • When checking for hypo symptoms, a fixed number of bits or packets can be added to the current rate, then the result can be compared against the corresponding profile. When the sampling rate is less than 1, this fixed number of bits or packets can be first multiplied by the sampling rate.
    • Source or destination IP address tree pruning takes sampling into account so that nodes get pruned from the tree when their current EMA drops to less than the sampling rate. If there is an ongoing hyper symptom involving those nodes, then they won't be pruned until the symptom has expired.
      Progressive Profiling
The profiling and detection mechanisms can operate in parallel. Periodically the profiling calculations can be updated as well as the detection calculations. If the detection mechanism indicates that an abnormality is present, then profiling can be temporarily stopped to avoid profiling on “bad” traffic patterns. As soon as the abnormality has ended, profiling resumes, beginning with the last saved good profile.
In order to declare an abnormality or symptom, the traffic levels may be a specified amount higher (than max), lower (than min), or different (than histograms). If the traffic levels are only slightly outside the previously observed ranges and not exceeding the specified amount, profiling continues without declaring an abnormality. This permits the profiles to adapt to naturally changing traffic environments. However, as soon as the differences are greater than the specified limit, profiling can be stopped and an abnormality can be declared.
After a specified amount of time has elapsed where the training profile for a crosspoint (known as the “emerging profile”) has stabilized, the profile mechanism automatically updates the baseline profile used for detection (known as the “active profile”). It uses the emerging profile to update the active profile. This update calculation can be performed as an EMA calculation itself. The smoothing factor used for this profile update varies based on whether the emerging profile is trending higher or lower than the active profile. The upwards smoothing factor can be generally less than the downwards smoothing factor, allowing for quicker learning about new high traffic rates and slower “forgetting” about high traffic levels from the past.
Once the emerging profile has been used to update the active profile, the emerging profile cane be reset, and profile training can be restarted.
When a crosspoint is first created, its active profile is typically set to be accommodating: for example, its minimum threshold may be set to 0, its maximum may be set to a very high value, and its histogram bins may show a uniform distribution. This allows the crosspoint to initially see all of its traffic without initially declaring abnormalities.
The crosspoint's emerging profile is typically initialized in the opposite way: its maximum threshold may be set to 0 and its minimum threshold may be set to a very high value. As the crosspoint trains on traffic, this allows the maximum threshold to be able to decrease monotonically to its correct value, and the minimum threshold to be able to increase monotonically to its correct value. The histogram starts with a uniform distribution.
During the first auto-updating cycle, rather than using the exponential smoothing calculation, the active profile can be replaced with the emerging profile. Otherwise it could take a relatively long time for the active profile to converge to a reasonable set of values. For other auto-updating cycles, the EMA calculation may be used.
Retrospective Profiling
One possible alternative to progressive profiling is to profile based on historical data that is stored in the database, permitting additional analysis to be performed on the data during profiling, such as discarding a specified % of outliers. Possible steps for performing such “retrospective profiling” process include the following:
    • 1. Obtain preferably all data from the database corresponding to the specified dates for the specified crosspoint. It can be helpful to independently analyze “working days” and “off days.”
    • 2. If certain time periods in the database don't contain any data, zero traffic can be assumed for those periods.
    • 3. Any days that have symptoms preferably are ignored, unless the user specifically indicates that symptom data can be used for profiling.
    • 4. The data is sorted.
    • 5. If a specified percentage of outliers are to be discarded, those outliers are removed from the sorted dataset.
    • 6. Profiles can be generated on the resulting data. These profiles can be max/min profiles, histogram profiles, or any other profile characterization.
Retrospective profiling preferably is done periodically (such as once a week) with the schedule being staggered for different measures of each crosspoint. Initially, there can be a blank current profile. When a new profile is computed, the new profile can replace the current profile (preferably instantly). Unlike progressive profiling, there is no notion of convergence of the emerging profile; rather, new profile when can be ready for immediate use as the current profile once computed.
Spectral Analysis of Crosspoint Historical Data
Referring toFIGS. 4 and 5, many crosspoints' traffic patterns may vary based on the time of day and/or the day of the week. From a profiling standpoint, this periodicity may be captured so that symptom detection is generally more effective. The spectral analysis technique analyzes the traffic behavior for a particular cross-point and determines whether or not it shows daily or weekly periodicity. If so, then the profiling engine takes that into account and profile each day or day-of-week separately; if not, then there creation of separate profiles for different time intervals for that crosspoint may not be necessary.
Determining Crosspoint Periodicity
One technique for determining crosspoint periodicity includes the following steps:
    • Retrieve (preferably) all bitrate data from the database for a particular crosspoint for the past several weeks (for example four may be used in order to trust patterns in the data). For an example, seeFIG. 4.
    • Divide the total time period into evenly spaced bins, where the total number of bins are a power of 2. For example, running for 4 weeks with 8192 bins results in each bin having a size of 295.3125 seconds. For each bin, all bitrate datapoints whose timestamp falls into that bin can be averaged.
    • Run a Fast Fourier Transform (FFT) on this data set. The result of the FFT is a set of complex numbers corresponding to the coefficients of sine and cosine waves for different frequencies that could be added together to reconstruct the original set of datapoints.
    • Find the magnitude of each complex coefficient by taking the square root of the sum of squares of the real and imaginary terms.
    • Sort the magnitudes to determine which frequencies are dominant, and interpret the results.
The zero frequency term typically is the most dominant, corresponding to a constant term that allows the average traffic level to be positive. If the next most dominant term corresponds to a daily frequency (28 in the 4-week example) or a weekly frequency (4 in the 4-week example), then the traffic exhibits periodicity (SeeFIG. 5).
Another technique for determining crosspoint periodicity includes the following steps:
    • Retrieve (preferably) all bitrate data from the database for a particular crosspoint for the past several weeks (for example four may be used in order to trust patterns in the data). For an example, seeFIG. 4.
    • Divide the total time period into evenly spaced bins, where the total number of bins are a power of 2. For example, running for 4 weeks with 8192 bins results in each bin having a size of 295.3125 seconds. For each bin, all bitrate datapoints whose timestamp falls into that bin can be averaged.
    • Run a series of pair-wise correlations among the various days' data. For each pair of days, first run a correlation where the times are properly aligned (e.g., 1 a.m. Monday correlating with 1 a.m. Tuesday). Then run correlations where the times are out of alignment by one hour (e.g., 1 a.m. Monday correlating with 2 a.m. Tuesday), then by two hours (e.g., 1 a.m. Monday correlating with 3 a.m. Tuesday, etc.), and so on.
    • Average the aligned correlations, then average the correlations representing a shift by 1 hour, then average the correlations representing a shift by 2 hours, and so on. This results in a set of 24 average correlation values.
    • Analyze these average correlation values. For the endpoint to be periodic, the average aligned correlation must be very high, and it must be significantly higher than the shifted average correlation data.
      Profiling Periodic Crosspoints
If a crosspoint exhibits periodicity, then it can be profiled accordingly. For crosspoints with a dominant weekly periodicity, each time period can be independently profiled for a week.
    • For crosspoints with a dominant daily periodicity and a dominant weekly periodicity, each time period can be profiled for a week.
    • For crosspoints with a dominant daily periodicity but no dominant weekly term, each time period can be profiled for a day.
    • And for crosspoints without dominant daily or weekly periodicity terms, time-based profiling for a crosspoint is generally not done.
One technique for profiling a crosspoint the exhibits daily periodicity includes the following steps:
    • Run a Fast Fourier Transform (FFT) on the data set. The result of the FFT is a set of complex numbers corresponding to the coefficients of sine and cosine waves for different frequencies that could be added together to reconstruct the original set of datapoints.
    • Find the magnitude of each complex coefficient by taking the square root of the sum of squares of the real and imaginary terms.
    • Sort the magnitudes to determine which frequencies are dominant. Remove (preferably) all frequency terms except for the top few frequencies.
    • Run an inverse FFT on these remaining terms. The result is a smoothed version of the original time domain data set.
    • Bin the data into hourly increments, and determine the max and the min for each hour across all days. For example, find the max and min for the 0:00-1:00 hour across all days, then find the max and min for the 1:00-2:00 hour across all days, and so on. This results in a traffic envelope that varies hour-by-hour for a full day.
    • Determine how well the original database data fits within this envelope. If more than a specified outlier percentage of the original data falls outside the envelope, then slowly increase the envelope size until the specified outlier percentage is maintained.
The result should be a profile defined by max and min values, varying hour by hour, that has at most a specified outlier percentage.
Multidimensional Crosspoint Profiling
Combinations of four crosspoint types (IDs, Applications, Locations, and Time Periods) may also be profiled, thus gaining a finer crosspoint granularity for profiling and detection and may include the following combinations of two, three, or four crosspoint types:
    • ID×Application: profile each application running on each endpoint
    • ID×Location: profile each endpoint's behavior at each location
    • ID×Interface: profile each endpoint's behavior at each interface
    • ID×Time Period: profile each endpoint's behavior at various points in time
    • Application×Location: profile each application running at each location
    • Application×Interface: profile each application using each interface
    • Application×Time Period: profile each application running at various points in time
    • Location×Interface: profile each interface associated with each location
    • Location×Time Period: profile traffic behavior at each location for various points in time
    • Interface×Time Period: profile traffic behavior at each interface for various points in time
    • ID×Application×Time Period: profile applications being run by each endpoint at various points in time
    • ID×Location×Time Period: profile endpoints' traffic behavior at various locations for various points in time
    • ID×Application×Location: profile applications being run by each endpoint at various locations
    • ID×Application×Interface: profile applications being run by each endpoint at various interfaces
    • ID×Location×Interface: profile endpoints' traffic behavior at various locations using various interfaces
    • ID×Interface×Time Period: profile endpoints' traffic behavior using each interface at various points in time
    • Application×Location×Time Period: profile applications being run at various locations for various points in time
    • Application×Location×Interface: profile applications being run at various locations using each interface
    • Application×Interface×Time Period: profile applications being run at each interface for various points in time
    • Location×Interface×Time Period: profile each interface at each location for various points in time
    • ID×Application×Location×Time Period: profile applications being run by each endpoint at various locations for various points in time
    • ID×Application×Location×Interface: profile applications being run by each endpoint at various locations across various interfaces
    • ID×Application×Interface×Time Period: profile applications being run by each endpoint across various interfaces at various points in time
    • ID×Location×Interface×Time Period: profile endpoints' traffic behavior using each location for various interfaces at various points in time
    • Application×Location×Interface×Time Period: profile applications being run from each location across various interfaces at various points in time
    • ID×Application×Location×Interface×Time Period: profile applications being run by each endpoint from each location across various interfaces at various points in time.
For example, by profiling combinations of ID×Application, expected behavior may be determined, and symptoms flagged at a finer granularity. This in turn may allow the correlation engine to more easily hone in on the problem.
Note that each crosspoint may have several measures associated with it including the rate measures of packet rate, bit rate, burstiness, and interaction rate (with other crosspoints) as well as an affinity measure with other crosspoints.
Note that Time Period may not be applicable if the Spectral Analysis results indicate that the crosspoint is not dependent upon time. In those cases, the combinations would typically not be profiled.
Histogram-Based Representation
The profiling and detection engines can utilize histograms to augment the minimum/maximum thresholds. These histograms preferably are calculated for the same metrics as the thresholds: bitrate, packetrate, burstiness, and interaction rate. The histograms may be constructed as follows:
    • The overall potential range of each traffic metric may be predetermined based on the metric. This overall range can then be segmented into several smaller bins for the histogram. The bins can be constructed with a log scale so that the lower bins have finer granularity, and the higher bins have coarser granularity. The highest bin typically includes all data points greater than some value; the lowest bin typically has a lower bound of 0.
    • Each bin holds its ongoing EMA statistics (which get updated periodically, say every N minutes), plus its count for the current period.
    • At the end of a time period such as every second, the counts can be updated for the past interval. Each metric falls into a particular bin, so the count for that bin can be incremented.
    • At the end of N minutes, for example, there will be N×60 data points collected into the histogram bins (for a time period of one second). The relative frequency can be calculated for each bin for those N×60 points.
    • Those relative frequencies can then be used to perform an EMA calculation to update the EMA statistics for each histogram bin.
Each bin thus has its own EMA calculations, providing ongoing relative frequencies for each metric. The result can be a histogram reflecting the distribution of the metrics over time.
Symptom Detection Using Distribution-Based Probability Analysis
As with the minimum and maximum thresholds, the profiling and detection engines may maintain two sets of histograms for each crosspoint: one for training (the “emerging profile”) and one for detecting (the “active profile”), for example.
The active profile's histograms may be used for detection as follows.
    • As described previously, the overall range for each traffic metric can be segmented into several smaller bins. Each bin holds its EMA statistics, which get updated every N minutes, plus its counts for the current period. Counts can be incremented every second based on the metric value during the past one second interval, for example.
    • At the end of N minutes, we calculate the relative frequency for each bin for the N×60 data points. Before using this relative frequency to update the EMA statistics for each bin, these relative frequencies and the baselined active profile histogram can be compared.
    • The deviation of the current relative frequency from the active threshold can be calculated using the sum of squared differences across all bins. When this deviation is greater than a predetermined threshold for a pre-determined number of periods, then a symptom can be declared.
    • Once a symptom is declared, the detection engine preferably determines the type of symptom. The symptom could be:
      • Hyper: the current relative frequency for the higher bins is greater than those of the higher bins for the active threshold;
      • Hypo: the current relative frequency for the lower bins is greater than those of the lower bins for the active threshold; or
      • Sundry: there is no dominant hyper or hypo trend, but there still is a significant deviation in the distribution.
ALTERNATIVE EMBODIMENTS
After reading this application, those skilled in the art will recognize that the invention has wide applicability, and is not limited to the embodiments described herein. It is to be understood that while certain forms of this invention have been illustrated and described, it is not limited thereto, except in so far as such limitations are included in the following claims and allowable equivalents thereof.

Claims (22)

The invention claimed is:
1. A method, including steps of
maintaining, at a network monitoring device, information regarding long-term historical activity of a network;
maintaining information regarding short-term activity of that network;
receiving information regarding recent activity of that network;
comparing that information regarding recent activity with that information regarding long-term activity, and determining the presence of abnormal activity in response to a result of said steps of comparing recent with long-term activity;
comparing that information regarding recent activity with that information regarding short-term activity, determining the presence of changes in network activity in response to a result of said steps of comparing recent with short-term activity, and updating that short-term activity if and only if that information regarding recent activity is within normal behavior for that network;
comparing that information regarding short-term activity with that information regarding long-term activity, and determining the presence of changes in network activity in response to a result of said steps of comparing short-term with long-term activity, and updating that long-term activity using that recent activity if and only if that information regarding recent activity is within normal behavior for that network.
2. A method as inclaim 1, including steps of
determining that said recent activity is within normal behavior for that network only when said recent activity is within a selected range of difference from that long-term activity.
3. A method as inclaim 1, including steps of
maintaining a first set of information about that short-term activity, without updating that first set of information for a selected period of time;
maintaining a second set of information about that short-term activity, while updating that second set of information promptly upon those steps of receiving information about recent activity;
wherein that first set of information about short-term activity and that second set of information about short-term activity differ by whether that information about recent activity is used; and
replacing that first set of information with that second set of information if and only if that information about recent activity indicates recent activity that is within normal behavior for that network.
4. A method as inclaim 3, wherein
that first set of information indicates a last-known-good set of information about emergent activity of that network, and that second set of information includes an in-construction set of information about emergent activity of that network; and
at a time for updating that long-term activity, using that last-known-good set of information if and only if that recent activity is not within normal behavior for that network, and using that in-construction set of information if and only if that in-construction set of information indicates that recent activity is within normal behavior for that network.
5. A method, including steps of
maintaining, at a network monitoring device, information regarding historical activity of a network;
maintaining information regarding emergent activity of that network;
comparing recent network activity to a predetermined parameter and the emergent activity, and determining the presence of changes in network activity in response to a result of said steps of comparing;
also comparing recent network activity to the historical activity, and also determining the presence of abnormal activity in response to said steps of also comparing;
if and only if said steps of also comparing recent network activity to the historical activity indicate lack of abnormal activity, adjusting that information regarding emergent activity of that network in response to the comparing; and
if and only if said steps of also comparing recent network activity to the historical activity indicate lack of abnormal activity, adjusting that information regarding historical activity of that network in response to that information regarding emergent activity of that network.
6. A method as inclaim 4, including steps of
waiting a selected period of time after using that last-known-good set of information before starting to start a next in-construction set of information.
7. A method as inclaim 5, wherein those steps of maintaining information regarding historical activity of that network are responsive to a relatively long-term review of network behavior.
8. A method as inclaim 5, including steps of
pausing those steps of adjusting that information regarding emergent activity of that network in response to a result of the steps of also comparing and also determining.
9. A method as inclaim 8, wherein those steps of also determining are responsive to whether that recent activity includes observable values too high or too low for consistency with historical activity of the network.
10. A method as inclaim 8, wherein those steps of also determining are responsive to whether that recent activity includes observable values too unlikely for consistency with historical activity of the network.
11. A method as inclaim 5,
wherein those steps of adjusting that information regarding historical activity of that network in response to that information regarding emergent activity of that network
include steps of adaptively modifying that information regarding historical activity of that network in response to that information regarding emergent activity of that network.
12. A method as inclaim 11, wherein the steps of adaptively modifying include an adaptive modification parameter Λ having a value between approximately 0.5 and 1.0.
13. A method, including steps of
maintaining, at a network monitoring device, information regarding relatively long-term historical activity of a network;
maintaining information regarding short-term activity of said network;
receiving a value indicative of recent network activity;
comparing said recent network activity to said short-term activity and a predetermined threshold value, determining the presence of changes in network activity in response to said steps of comparing recent activity with short-term activity;
comparing said recent network activity to said long-term activity, and determining the presence of abnormal activity in response to said steps of comparing recent activity with long-term activity;
maintaining a history of the values in response to the steps of comparing recent activity with long-term activity;
if and only if said steps of determining the presence of abnormal activity indicate lack of abnormal activity, adjusting that information regarding the long-term historical activity of a network in response to said short-term activity of that network; and
determining information regarding time-dependent activity of that network in response to that information regarding long-term historical activity of that network.
14. A method as inclaim 13, wherein those steps of determining the presence of changes in network activity include spectral analysis.
15. A method as inclaim 13, wherein those steps of determining the presence of changes in network activity include interpreting a result of a Fast Fourier Transform.
16. A method as inclaim 15, wherein those steps of interpreting include determining a magnitude for each frequency result of the Fast Fourier Transform and sorting the magnitudes in rank order.
17. A method as inclaim 16, wherein those steps of sorting include determining if there are other frequencies for which the magnitude of the frequency coefficient is substantial.
18. A method as inclaim 17, wherein those steps of determining if there are other frequencies include determining if there is periodicity to the magnitudes.
19. The method ofclaim 1 further including the steps of:
when said steps of determining the presence of abnormal activity indicate lack of abnormal activity,
replacing a portion of the long-term activity with the short-term activity, and
replacing the short-term activity with the recent network activity.
20. The method ofclaim 5 wherein the predetermined parameter is a threshold indicating deviation from an acceptable value.
21. The method ofclaim 13 wherein the threshold value is a threshold indicating allowable deviation from an acceptable value.
22. A method as inclaim 5, including steps of
when said steps of also comparing and also determining indicate abnormal activity, refraining from adjusting that information regarding emergent activity of that network in response to the comparing; and
when said steps of also comparing and also determining indicate abnormal activity, refraining from adjusting that information regarding historical activity of that network in response to that information regarding emergent activity of that network.
US12/180,2432007-08-032008-07-25Network monitoring of behavior probability densityActive2029-05-05US8639797B1 (en)

Priority Applications (1)

Application NumberPriority DateFiling DateTitle
US12/180,243US8639797B1 (en)2007-08-032008-07-25Network monitoring of behavior probability density

Applications Claiming Priority (4)

Application NumberPriority DateFiling DateTitle
US96322907P2007-08-032007-08-03
US96323307P2007-08-032007-08-03
US96322607P2007-08-032007-08-03
US12/180,243US8639797B1 (en)2007-08-032008-07-25Network monitoring of behavior probability density

Publications (1)

Publication NumberPublication Date
US8639797B1true US8639797B1 (en)2014-01-28

Family

ID=49958071

Family Applications (1)

Application NumberTitlePriority DateFiling Date
US12/180,243Active2029-05-05US8639797B1 (en)2007-08-032008-07-25Network monitoring of behavior probability density

Country Status (1)

CountryLink
US (1)US8639797B1 (en)

Cited By (55)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US20120144336A1 (en)*2010-12-032012-06-07In Touch Technologies, Inc.Systems and methods for dynamic bandwidth allocation
US20140229414A1 (en)*2013-02-082014-08-14Ebay Inc.Systems and methods for detecting anomalies
US20140372602A1 (en)*2011-12-132014-12-18China Unionpay Co., Ltd.Automatic health-check method and device for on-line system
US9089972B2 (en)2010-03-042015-07-28Intouch Technologies, Inc.Remote presence system including a cart that supports a robot face and an overhead camera
US9098611B2 (en)2012-11-262015-08-04Intouch Technologies, Inc.Enhanced video interaction for a user interface of a telepresence network
US9138891B2 (en)2008-11-252015-09-22Intouch Technologies, Inc.Server connectivity control for tele-presence robot
US9160783B2 (en)2007-05-092015-10-13Intouch Technologies, Inc.Robot system that operates through a network firewall
US20150304346A1 (en)*2011-08-192015-10-22Korea University Research And Business FoundationApparatus and method for detecting anomaly of network
US9174342B2 (en)2012-05-222015-11-03Intouch Technologies, Inc.Social behavior rules for a medical telepresence robot
US9193065B2 (en)2008-07-102015-11-24Intouch Technologies, Inc.Docking system for a tele-presence robot
US9198728B2 (en)2005-09-302015-12-01Intouch Technologies, Inc.Multi-camera mobile teleconferencing platform
US9224181B2 (en)2012-04-112015-12-29Intouch Technologies, Inc.Systems and methods for visualizing patient and telepresence device statistics in a healthcare network
CN105208040A (en)*2015-10-122015-12-30北京神州绿盟信息安全科技股份有限公司Network attack detection method and device
US9251313B2 (en)2012-04-112016-02-02Intouch Technologies, Inc.Systems and methods for visualizing and managing telepresence devices in healthcare networks
US9296107B2 (en)2003-12-092016-03-29Intouch Technologies, Inc.Protocol for a remotely controlled videoconferencing robot
US9323250B2 (en)2011-01-282016-04-26Intouch Technologies, Inc.Time-dependent navigation of telepresence robots
US9361021B2 (en)2012-05-222016-06-07Irobot CorporationGraphical user interfaces including touchpad driving interfaces for telemedicine devices
US20160173509A1 (en)*2014-12-152016-06-16Sophos LimitedThreat detection using endpoint variance
US9381654B2 (en)2008-11-252016-07-05Intouch Technologies, Inc.Server connectivity control for tele-presence robot
US9419989B2 (en)2014-12-152016-08-16Sophos LimitedThreat detection using URL cache hits
US9429934B2 (en)2008-09-182016-08-30Intouch Technologies, Inc.Mobile videoconferencing robot system with network adaptive driving
US9469030B2 (en)2011-01-282016-10-18Intouch TechnologiesInterfacing with a mobile telepresence robot
US9602765B2 (en)2009-08-262017-03-21Intouch Technologies, Inc.Portable remote presence robot
US20170093907A1 (en)*2015-09-282017-03-30Verizon Patent And Licensing Inc.Network state information correlation to detect anomalous conditions
US9616576B2 (en)2008-04-172017-04-11Intouch Technologies, Inc.Mobile tele-presence system with a microphone system
US20170206354A1 (en)*2016-01-192017-07-20International Business Machines CorporationDetecting anomalous events through runtime verification of software execution using a behavioral model
US9715337B2 (en)2011-11-082017-07-25Intouch Technologies, Inc.Tele-presence system with a user interface that displays different communication links
US9766624B2 (en)2004-07-132017-09-19Intouch Technologies, Inc.Mobile robot with a head-based movement mapping scheme
US9774613B2 (en)2014-12-152017-09-26Sophos LimitedServer drift monitoring
US9842192B2 (en)2008-07-112017-12-12Intouch Technologies, Inc.Tele-presence robot system with multi-cast features
US9849593B2 (en)2002-07-252017-12-26Intouch Technologies, Inc.Medical tele-robotic system with a master remote station with an arbitrator
US9935858B1 (en)2015-08-242018-04-03Xangati, IncEnhanched flow processing
US9974612B2 (en)2011-05-192018-05-22Intouch Technologies, Inc.Enhanced diagnostics for a telepresence robot
US9983571B2 (en)2009-04-172018-05-29Intouch Technologies, Inc.Tele-presence robot system with software modularity, projector and laser pointer
WO2018140556A1 (en)*2017-01-252018-08-02Centurylink Intellectual Property LlcMachine discovery of aberrant operating states
US10073950B2 (en)2008-10-212018-09-11Intouch Technologies, Inc.Telepresence robot with a camera boom
US20180343172A1 (en)*2014-09-112018-11-29Infoblox Inc.Exponential moving maximum (emm) filter for predictive analytics in network reporting
US10204214B2 (en)2016-09-142019-02-12Microsoft Technology Licensing, LlcPeriodicity detection of network traffic
US10346756B2 (en)2017-01-252019-07-09Centurylink Intellectual Property LlcMachine discovery and rapid agglomeration of similar states
US10343283B2 (en)2010-05-242019-07-09Intouch Technologies, Inc.Telepresence robot system that can be accessed by a cellular phone
US10471588B2 (en)2008-04-142019-11-12Intouch Technologies, Inc.Robotic based health care system
US10769739B2 (en)2011-04-252020-09-08Intouch Technologies, Inc.Systems and methods for management of information among medical providers and facilities
US10808882B2 (en)2010-05-262020-10-20Intouch Technologies, Inc.Tele-robotic system with a robot face placed on a chair
US10875182B2 (en)2008-03-202020-12-29Teladoc Health, Inc.Remote presence system mounted to operating room hardware
US11154981B2 (en)2010-02-042021-10-26Teladoc Health, Inc.Robot user interface for telepresence robot system
US11190419B1 (en)*2017-05-242021-11-30Amazon Technologies, Inc.Tunable-granularity multi-level histograms for efficient computer system metric analysis
US11389064B2 (en)2018-04-272022-07-19Teladoc Health, Inc.Telehealth cart that supports a removable tablet with seamless audio/video switching
US11398307B2 (en)2006-06-152022-07-26Teladoc Health, Inc.Remote controlled robot system that provides medical images
US11399153B2 (en)2009-08-262022-07-26Teladoc Health, Inc.Portable telepresence apparatus
US11636944B2 (en)2017-08-252023-04-25Teladoc Health, Inc.Connectivity infrastructure for a telehealth platform
US11742094B2 (en)2017-07-252023-08-29Teladoc Health, Inc.Modular telehealth cart with thermal imaging and touch screen user interface
US11850757B2 (en)2009-01-292023-12-26Teladoc Health, Inc.Documentation through a remote presence robot
US11862302B2 (en)2017-04-242024-01-02Teladoc Health, Inc.Automated transcription and documentation of tele-health encounters
US12093036B2 (en)2011-01-212024-09-17Teladoc Health, Inc.Telerobotic system with a dual application screen presentation
US12224059B2 (en)2011-02-162025-02-11Teladoc Health, Inc.Systems and methods for network-based counseling

Citations (71)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US5128871A (en)1990-03-071992-07-07Advanced Micro Devices, Inc.Apparatus and method for allocation of resoures in programmable logic devices
US5233604A (en)1992-04-281993-08-03International Business Machines CorporationMethods and apparatus for optimum path selection in packet transmission networks
US5271038A (en)*1990-09-101993-12-14Hughes Aircraft CompanyDistortion suppression using thresholding techniques
US5430709A (en)1992-06-171995-07-04Hewlett-Packard CompanyNetwork monitoring method and apparatus
US5442750A (en)1991-10-041995-08-15Wellfleet CommunicationsSystem for transmitting data between systems using selected subsets of plural interconnecting bus lines and including selection of a compatible transmission speed
US5917870A (en)1994-11-301999-06-29Alcatel N.V.Synchronization monitoring in a network element
US5958053A (en)1997-01-301999-09-28At&T Corp.Communications protocol with improved security
US5970064A (en)1997-06-121999-10-19Northern Telecom LimitedReal time control architecture for admission control in communications network
US5991881A (en)1996-11-081999-11-23Harris CorporationNetwork surveillance system
US6046979A (en)1998-05-042000-04-04Cabletron Systems, Inc.Method and apparatus for controlling the flow of variable-length packets through a multiport switch
US6076115A (en)1997-02-112000-06-13Xaqti CorporationMedia access control receiver and network management system
US6115745A (en)1997-11-252000-09-05International Business Machines CorporationScheduling of distributed agents in a dialup network
US6167025A (en)1996-09-112000-12-26Telcordia Technologies, Inc.Methods and apparatus for restoring connections in an ATM network
US6189035B1 (en)1998-05-082001-02-13MotorolaMethod for protecting a network from data packet overload
US6202084B1 (en)1997-10-312001-03-13Intel CorporationSystem and apparatus to provide a backchannel for a receiver terminal in a conference
US6314093B1 (en)1997-12-242001-11-06Nortel Networks LimitedTraffic route finder in communications network
US6314464B1 (en)1996-04-032001-11-06Sony CorporationCommunication control method
US6321338B1 (en)*1998-11-092001-11-20Sri InternationalNetwork surveillance
US20010049711A1 (en)2000-05-312001-12-06Motoo NishiharaPipeline processing type shaping apparatus and its method
US20010052087A1 (en)*1998-04-272001-12-13Atul R. GargMethod and apparatus for monitoring a network environment
US6347339B1 (en)1998-12-012002-02-12Cisco Technology, Inc.Detecting an active network node using a login attempt
US20020052967A1 (en)1999-05-042002-05-02Goldhor Richard S.Method and apparatus for providing continuous playback or distribution of audio and audio-visual streamed multimedia received over networks having non-deterministic delays
US6502135B1 (en)1998-10-302002-12-31Science Applications International CorporationAgile network protocol for secure communications with assured system availability
US6529866B1 (en)*1999-11-242003-03-04The United States Of America As Represented By The Secretary Of The NavySpeech recognition system and associated methods
US20030229692A1 (en)2001-11-022003-12-11Kiem-Phong VoSystem and method for monitoring data traffic on a network
US20030229485A1 (en)2002-06-072003-12-11Semiconductor Technology Academic Research CenterEmulation system for data-driven processor
US20040054925A1 (en)2002-09-132004-03-18Cyber Operations, LlcSystem and method for detecting and countering a network attack
US20040064293A1 (en)*2002-09-302004-04-01Hamilton David B.Method and system for storing and reporting network performance metrics using histograms
US6725377B1 (en)1999-03-122004-04-20Networks Associates Technology, Inc.Method and system for updating anti-intrusion software
US6757742B1 (en)2000-05-252004-06-29Advanced Micro Devices, Inc.Computer-based system for validating hash-based table lookup schemes in a network switch
US6785237B1 (en)2000-03-312004-08-31Networks Associates Technology, Inc.Method and system for passive quality of service monitoring of a network
US6789190B1 (en)2000-11-162004-09-07Computing Services Support Solutions, Inc.Packet flooding defense system
US6816910B1 (en)2000-02-172004-11-09Netzentry, Inc.Method and apparatus for limiting network connection resources
US20050044406A1 (en)*2002-03-292005-02-24Michael StuteAdaptive behavioral intrusion detection systems and methods
US6930978B2 (en)2000-05-172005-08-16Deep Nines, Inc.System and method for traffic management control in a data transmission network
US20050190695A1 (en)1999-11-122005-09-01Inmon CorporationIntelligent collaboration across network systems
US20050213504A1 (en)2004-03-252005-09-29Hiroshi EnomotoInformation relay apparatus and method for collecting flow statistic information
US6973040B1 (en)2000-03-132005-12-06Netzentry, Inc.Method of maintaining lists of network characteristics
US20050276230A1 (en)2004-06-152005-12-15Hitachi, Ltd.Communication statistic information collection apparatus
US20050278779A1 (en)2004-05-252005-12-15Lucent Technologies Inc.System and method for identifying the source of a denial-of-service attack
US6990591B1 (en)1999-11-182006-01-24Secureworks, Inc.Method and system for remotely configuring and monitoring a communication device
US7007301B2 (en)2000-06-122006-02-28Hewlett-Packard Development Company, L.P.Computer architecture for an intrusion detection system
US7013482B1 (en)2000-07-072006-03-14802 Systems LlcMethods for packet filtering including packet invalidation if packet validity determination not timely made
US20060059282A1 (en)2004-08-302006-03-16International Business Machines CorporationSnapshot interface operations
US20060077905A1 (en)2000-06-302006-04-13Corvil LimitedMeasure and recording of traffic parameters in data transmission networks
US7051369B1 (en)1999-08-182006-05-23Yoshimi BabaSystem for monitoring network for cracker attack
US20060109793A1 (en)2004-11-252006-05-25Kim Hwan KNetwork simulation apparatus and method for analyzing abnormal network
US7062782B1 (en)1999-12-222006-06-13Uunet Technologies, Inc.Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
US7076547B1 (en)2001-06-212006-07-11Amdocs (Israel) Ltd.System and method for network performance and server application performance monitoring and for deriving exhaustive performance metrics
US7089428B2 (en)2000-04-282006-08-08Internet Security Systems, Inc.Method and system for managing computer security information
US20060195896A1 (en)2004-12-222006-08-31Wake Forest UniversityMethod, systems, and computer program products for implementing function-parallel network firewall
US20060242694A1 (en)*2004-11-082006-10-26Jeffrey GoldMitigation and mitigation management of attacks in networked systems
US20060272018A1 (en)2005-05-272006-11-30Mci, Inc.Method and apparatus for detecting denial of service attacks
US20070025528A1 (en)*2005-07-072007-02-01Sbc Knowledge Ventures, L.P.System and method for automated performance monitoring for a call servicing system
US20070156919A1 (en)2005-06-212007-07-05Sunil PottiEnforcing network service level agreements in a network element
US7260840B2 (en)2003-06-062007-08-21Microsoft CorporationMulti-layer based method for implementing network firewalls
US20070195787A1 (en)2005-10-192007-08-23Alnuweiri Hussein MMethods and apparatus for per-session uplink/downlink flow scheduling in multiple access networks
US20070211697A1 (en)2006-03-132007-09-13Finisar CorporationMethod of analyzing network with generated traffic
US7331060B1 (en)2001-09-102008-02-12Xangati, Inc.Dynamic DoS flooding protection
US7386888B2 (en)2003-08-292008-06-10Trend Micro, Inc.Network isolation techniques suitable for virus protection
US7409714B2 (en)2001-06-132008-08-05Mcafee, Inc.Virtual intrusion detection system and method of using same
US20080291915A1 (en)2007-05-222008-11-27Marco FoschianoProcessing packet flows
US7461403B1 (en)2001-08-032008-12-02Mcafee, Inc.System and method for providing passive screening of transient messages in a distributed computing environment
US20090046664A1 (en)2006-03-172009-02-19Matsushita Electric Industrial Co., Ltd.Packet transfer control device and mobile node
US7506046B2 (en)*2001-07-312009-03-17Hewlett-Packard Development Company, L.P.Network usage analysis system and method for updating statistical models
US7519705B1 (en)*2003-07-102009-04-14Sprint Communications Company L.P.Method for computing aggregate traffic between adjacent points of presence in an internet protocol backbone network
US7607170B2 (en)*2004-12-222009-10-20Radware Ltd.Stateful attack protection
US7620986B1 (en)2004-06-142009-11-17Xangati, Inc.Defenses against software attacks in distributed computing environments
US7702563B2 (en)2001-06-112010-04-20Otc Online PartnersIntegrated electronic exchange of structured contracts with dynamic risk-based transaction permissioning
US20100135180A1 (en)2008-12-012010-06-03Fujitsu LimitedMethod of measuring packet loss rate, packet loss rate measuring device and storage medium
US20110040706A1 (en)2009-08-112011-02-17At&T Intellectual Property I, LpScalable traffic classifier and classifier training system

Patent Citations (72)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US5128871A (en)1990-03-071992-07-07Advanced Micro Devices, Inc.Apparatus and method for allocation of resoures in programmable logic devices
US5271038A (en)*1990-09-101993-12-14Hughes Aircraft CompanyDistortion suppression using thresholding techniques
US5442750A (en)1991-10-041995-08-15Wellfleet CommunicationsSystem for transmitting data between systems using selected subsets of plural interconnecting bus lines and including selection of a compatible transmission speed
US5233604A (en)1992-04-281993-08-03International Business Machines CorporationMethods and apparatus for optimum path selection in packet transmission networks
US5430709A (en)1992-06-171995-07-04Hewlett-Packard CompanyNetwork monitoring method and apparatus
US5917870A (en)1994-11-301999-06-29Alcatel N.V.Synchronization monitoring in a network element
US6314464B1 (en)1996-04-032001-11-06Sony CorporationCommunication control method
US6167025A (en)1996-09-112000-12-26Telcordia Technologies, Inc.Methods and apparatus for restoring connections in an ATM network
US5991881A (en)1996-11-081999-11-23Harris CorporationNetwork surveillance system
US5958053A (en)1997-01-301999-09-28At&T Corp.Communications protocol with improved security
US6076115A (en)1997-02-112000-06-13Xaqti CorporationMedia access control receiver and network management system
US5970064A (en)1997-06-121999-10-19Northern Telecom LimitedReal time control architecture for admission control in communications network
US6202084B1 (en)1997-10-312001-03-13Intel CorporationSystem and apparatus to provide a backchannel for a receiver terminal in a conference
US6115745A (en)1997-11-252000-09-05International Business Machines CorporationScheduling of distributed agents in a dialup network
US6314093B1 (en)1997-12-242001-11-06Nortel Networks LimitedTraffic route finder in communications network
US20010052087A1 (en)*1998-04-272001-12-13Atul R. GargMethod and apparatus for monitoring a network environment
US6046979A (en)1998-05-042000-04-04Cabletron Systems, Inc.Method and apparatus for controlling the flow of variable-length packets through a multiport switch
US6189035B1 (en)1998-05-082001-02-13MotorolaMethod for protecting a network from data packet overload
US6502135B1 (en)1998-10-302002-12-31Science Applications International CorporationAgile network protocol for secure communications with assured system availability
US6321338B1 (en)*1998-11-092001-11-20Sri InternationalNetwork surveillance
US7594260B2 (en)*1998-11-092009-09-22Sri InternationalNetwork surveillance using long-term and short-term statistical profiles to determine suspicious network activity
US6347339B1 (en)1998-12-012002-02-12Cisco Technology, Inc.Detecting an active network node using a login attempt
US6725377B1 (en)1999-03-122004-04-20Networks Associates Technology, Inc.Method and system for updating anti-intrusion software
US20020052967A1 (en)1999-05-042002-05-02Goldhor Richard S.Method and apparatus for providing continuous playback or distribution of audio and audio-visual streamed multimedia received over networks having non-deterministic delays
US7051369B1 (en)1999-08-182006-05-23Yoshimi BabaSystem for monitoring network for cracker attack
US20050190695A1 (en)1999-11-122005-09-01Inmon CorporationIntelligent collaboration across network systems
US6990591B1 (en)1999-11-182006-01-24Secureworks, Inc.Method and system for remotely configuring and monitoring a communication device
US6529866B1 (en)*1999-11-242003-03-04The United States Of America As Represented By The Secretary Of The NavySpeech recognition system and associated methods
US7062782B1 (en)1999-12-222006-06-13Uunet Technologies, Inc.Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
US6816910B1 (en)2000-02-172004-11-09Netzentry, Inc.Method and apparatus for limiting network connection resources
US6973040B1 (en)2000-03-132005-12-06Netzentry, Inc.Method of maintaining lists of network characteristics
US6785237B1 (en)2000-03-312004-08-31Networks Associates Technology, Inc.Method and system for passive quality of service monitoring of a network
US7089428B2 (en)2000-04-282006-08-08Internet Security Systems, Inc.Method and system for managing computer security information
US6930978B2 (en)2000-05-172005-08-16Deep Nines, Inc.System and method for traffic management control in a data transmission network
US6757742B1 (en)2000-05-252004-06-29Advanced Micro Devices, Inc.Computer-based system for validating hash-based table lookup schemes in a network switch
US20010049711A1 (en)2000-05-312001-12-06Motoo NishiharaPipeline processing type shaping apparatus and its method
US7007301B2 (en)2000-06-122006-02-28Hewlett-Packard Development Company, L.P.Computer architecture for an intrusion detection system
US20060077905A1 (en)2000-06-302006-04-13Corvil LimitedMeasure and recording of traffic parameters in data transmission networks
US7013482B1 (en)2000-07-072006-03-14802 Systems LlcMethods for packet filtering including packet invalidation if packet validity determination not timely made
US6789190B1 (en)2000-11-162004-09-07Computing Services Support Solutions, Inc.Packet flooding defense system
US7702563B2 (en)2001-06-112010-04-20Otc Online PartnersIntegrated electronic exchange of structured contracts with dynamic risk-based transaction permissioning
US7409714B2 (en)2001-06-132008-08-05Mcafee, Inc.Virtual intrusion detection system and method of using same
US7076547B1 (en)2001-06-212006-07-11Amdocs (Israel) Ltd.System and method for network performance and server application performance monitoring and for deriving exhaustive performance metrics
US7506046B2 (en)*2001-07-312009-03-17Hewlett-Packard Development Company, L.P.Network usage analysis system and method for updating statistical models
US7461403B1 (en)2001-08-032008-12-02Mcafee, Inc.System and method for providing passive screening of transient messages in a distributed computing environment
US7331060B1 (en)2001-09-102008-02-12Xangati, Inc.Dynamic DoS flooding protection
US20030229692A1 (en)2001-11-022003-12-11Kiem-Phong VoSystem and method for monitoring data traffic on a network
US20050044406A1 (en)*2002-03-292005-02-24Michael StuteAdaptive behavioral intrusion detection systems and methods
US20030229485A1 (en)2002-06-072003-12-11Semiconductor Technology Academic Research CenterEmulation system for data-driven processor
US20040054925A1 (en)2002-09-132004-03-18Cyber Operations, LlcSystem and method for detecting and countering a network attack
US20040064293A1 (en)*2002-09-302004-04-01Hamilton David B.Method and system for storing and reporting network performance metrics using histograms
US7260840B2 (en)2003-06-062007-08-21Microsoft CorporationMulti-layer based method for implementing network firewalls
US7519705B1 (en)*2003-07-102009-04-14Sprint Communications Company L.P.Method for computing aggregate traffic between adjacent points of presence in an internet protocol backbone network
US7386888B2 (en)2003-08-292008-06-10Trend Micro, Inc.Network isolation techniques suitable for virus protection
US20050213504A1 (en)2004-03-252005-09-29Hiroshi EnomotoInformation relay apparatus and method for collecting flow statistic information
US20050278779A1 (en)2004-05-252005-12-15Lucent Technologies Inc.System and method for identifying the source of a denial-of-service attack
US7620986B1 (en)2004-06-142009-11-17Xangati, Inc.Defenses against software attacks in distributed computing environments
US20050276230A1 (en)2004-06-152005-12-15Hitachi, Ltd.Communication statistic information collection apparatus
US20060059282A1 (en)2004-08-302006-03-16International Business Machines CorporationSnapshot interface operations
US20060242694A1 (en)*2004-11-082006-10-26Jeffrey GoldMitigation and mitigation management of attacks in networked systems
US20060109793A1 (en)2004-11-252006-05-25Kim Hwan KNetwork simulation apparatus and method for analyzing abnormal network
US7607170B2 (en)*2004-12-222009-10-20Radware Ltd.Stateful attack protection
US20060195896A1 (en)2004-12-222006-08-31Wake Forest UniversityMethod, systems, and computer program products for implementing function-parallel network firewall
US20060272018A1 (en)2005-05-272006-11-30Mci, Inc.Method and apparatus for detecting denial of service attacks
US20070156919A1 (en)2005-06-212007-07-05Sunil PottiEnforcing network service level agreements in a network element
US20070025528A1 (en)*2005-07-072007-02-01Sbc Knowledge Ventures, L.P.System and method for automated performance monitoring for a call servicing system
US20070195787A1 (en)2005-10-192007-08-23Alnuweiri Hussein MMethods and apparatus for per-session uplink/downlink flow scheduling in multiple access networks
US20070211697A1 (en)2006-03-132007-09-13Finisar CorporationMethod of analyzing network with generated traffic
US20090046664A1 (en)2006-03-172009-02-19Matsushita Electric Industrial Co., Ltd.Packet transfer control device and mobile node
US20080291915A1 (en)2007-05-222008-11-27Marco FoschianoProcessing packet flows
US20100135180A1 (en)2008-12-012010-06-03Fujitsu LimitedMethod of measuring packet loss rate, packet loss rate measuring device and storage medium
US20110040706A1 (en)2009-08-112011-02-17At&T Intellectual Property I, LpScalable traffic classifier and classifier training system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Deering et al. "RFC1883," Internet Protocol Specification, Dec. 1995, pp. 1-27, ver. 6, .
Deering et al. "RFC1883," Internet Protocol Specification, Dec. 1995, pp. 1-27, ver. 6, <http://www.faqs.org/rfcs/rfc1883.html>.
Steinke. "IP Addresses and Subnet Masks," Network Magazine, Oct. 1995, pp. 1-3, Tables 1 and 3, .
Steinke. "IP Addresses and Subnet Masks," Network Magazine, Oct. 1995, pp. 1-3, Tables 1 and 3, <http://www.networkmagazine.com/shared/printableArticle.jhtml?articleID=17601068>.

Cited By (108)

* Cited by examiner, † Cited by third party
Publication numberPriority datePublication dateAssigneeTitle
US10315312B2 (en)2002-07-252019-06-11Intouch Technologies, Inc.Medical tele-robotic system with a master remote station with an arbitrator
US9849593B2 (en)2002-07-252017-12-26Intouch Technologies, Inc.Medical tele-robotic system with a master remote station with an arbitrator
US9375843B2 (en)2003-12-092016-06-28Intouch Technologies, Inc.Protocol for a remotely controlled videoconferencing robot
US9296107B2 (en)2003-12-092016-03-29Intouch Technologies, Inc.Protocol for a remotely controlled videoconferencing robot
US9956690B2 (en)2003-12-092018-05-01Intouch Technologies, Inc.Protocol for a remotely controlled videoconferencing robot
US10882190B2 (en)2003-12-092021-01-05Teladoc Health, Inc.Protocol for a remotely controlled videoconferencing robot
US9766624B2 (en)2004-07-132017-09-19Intouch Technologies, Inc.Mobile robot with a head-based movement mapping scheme
US10241507B2 (en)2004-07-132019-03-26Intouch Technologies, Inc.Mobile robot with a head-based movement mapping scheme
US10259119B2 (en)2005-09-302019-04-16Intouch Technologies, Inc.Multi-camera mobile teleconferencing platform
US9198728B2 (en)2005-09-302015-12-01Intouch Technologies, Inc.Multi-camera mobile teleconferencing platform
US11398307B2 (en)2006-06-152022-07-26Teladoc Health, Inc.Remote controlled robot system that provides medical images
US9160783B2 (en)2007-05-092015-10-13Intouch Technologies, Inc.Robot system that operates through a network firewall
US10682763B2 (en)2007-05-092020-06-16Intouch Technologies, Inc.Robot system that operates through a network firewall
US11787060B2 (en)2008-03-202023-10-17Teladoc Health, Inc.Remote presence system mounted to operating room hardware
US10875182B2 (en)2008-03-202020-12-29Teladoc Health, Inc.Remote presence system mounted to operating room hardware
US11472021B2 (en)2008-04-142022-10-18Teladoc Health, Inc.Robotic based health care system
US10471588B2 (en)2008-04-142019-11-12Intouch Technologies, Inc.Robotic based health care system
US9616576B2 (en)2008-04-172017-04-11Intouch Technologies, Inc.Mobile tele-presence system with a microphone system
US9193065B2 (en)2008-07-102015-11-24Intouch Technologies, Inc.Docking system for a tele-presence robot
US10493631B2 (en)2008-07-102019-12-03Intouch Technologies, Inc.Docking system for a tele-presence robot
US9842192B2 (en)2008-07-112017-12-12Intouch Technologies, Inc.Tele-presence robot system with multi-cast features
US10878960B2 (en)2008-07-112020-12-29Teladoc Health, Inc.Tele-presence robot system with multi-cast features
US9429934B2 (en)2008-09-182016-08-30Intouch Technologies, Inc.Mobile videoconferencing robot system with network adaptive driving
US10073950B2 (en)2008-10-212018-09-11Intouch Technologies, Inc.Telepresence robot with a camera boom
US10875183B2 (en)2008-11-252020-12-29Teladoc Health, Inc.Server connectivity control for tele-presence robot
US9381654B2 (en)2008-11-252016-07-05Intouch Technologies, Inc.Server connectivity control for tele-presence robot
US9138891B2 (en)2008-11-252015-09-22Intouch Technologies, Inc.Server connectivity control for tele-presence robot
US10059000B2 (en)2008-11-252018-08-28Intouch Technologies, Inc.Server connectivity control for a tele-presence robot
US12138808B2 (en)2008-11-252024-11-12Teladoc Health, Inc.Server connectivity control for tele-presence robots
US11850757B2 (en)2009-01-292023-12-26Teladoc Health, Inc.Documentation through a remote presence robot
US10969766B2 (en)2009-04-172021-04-06Teladoc Health, Inc.Tele-presence robot system with software modularity, projector and laser pointer
US9983571B2 (en)2009-04-172018-05-29Intouch Technologies, Inc.Tele-presence robot system with software modularity, projector and laser pointer
US11399153B2 (en)2009-08-262022-07-26Teladoc Health, Inc.Portable telepresence apparatus
US10911715B2 (en)2009-08-262021-02-02Teladoc Health, Inc.Portable remote presence robot
US10404939B2 (en)2009-08-262019-09-03Intouch Technologies, Inc.Portable remote presence robot
US9602765B2 (en)2009-08-262017-03-21Intouch Technologies, Inc.Portable remote presence robot
US11154981B2 (en)2010-02-042021-10-26Teladoc Health, Inc.Robot user interface for telepresence robot system
US11798683B2 (en)2010-03-042023-10-24Teladoc Health, Inc.Remote presence system including a cart that supports a robot face and an overhead camera
US9089972B2 (en)2010-03-042015-07-28Intouch Technologies, Inc.Remote presence system including a cart that supports a robot face and an overhead camera
US10887545B2 (en)2010-03-042021-01-05Teladoc Health, Inc.Remote presence system including a cart that supports a robot face and an overhead camera
US11389962B2 (en)2010-05-242022-07-19Teladoc Health, Inc.Telepresence robot system that can be accessed by a cellular phone
US10343283B2 (en)2010-05-242019-07-09Intouch Technologies, Inc.Telepresence robot system that can be accessed by a cellular phone
US10808882B2 (en)2010-05-262020-10-20Intouch Technologies, Inc.Tele-robotic system with a robot face placed on a chair
US9264664B2 (en)*2010-12-032016-02-16Intouch Technologies, Inc.Systems and methods for dynamic bandwidth allocation
US10218748B2 (en)2010-12-032019-02-26Intouch Technologies, Inc.Systems and methods for dynamic bandwidth allocation
US20120144336A1 (en)*2010-12-032012-06-07In Touch Technologies, Inc.Systems and methods for dynamic bandwidth allocation
US12093036B2 (en)2011-01-212024-09-17Teladoc Health, Inc.Telerobotic system with a dual application screen presentation
US9785149B2 (en)2011-01-282017-10-10Intouch Technologies, Inc.Time-dependent navigation of telepresence robots
US9469030B2 (en)2011-01-282016-10-18Intouch TechnologiesInterfacing with a mobile telepresence robot
US9323250B2 (en)2011-01-282016-04-26Intouch Technologies, Inc.Time-dependent navigation of telepresence robots
US11289192B2 (en)2011-01-282022-03-29Intouch Technologies, Inc.Interfacing with a mobile telepresence robot
US11468983B2 (en)2011-01-282022-10-11Teladoc Health, Inc.Time-dependent navigation of telepresence robots
US10399223B2 (en)2011-01-282019-09-03Intouch Technologies, Inc.Interfacing with a mobile telepresence robot
US10591921B2 (en)2011-01-282020-03-17Intouch Technologies, Inc.Time-dependent navigation of telepresence robots
US12224059B2 (en)2011-02-162025-02-11Teladoc Health, Inc.Systems and methods for network-based counseling
US10769739B2 (en)2011-04-252020-09-08Intouch Technologies, Inc.Systems and methods for management of information among medical providers and facilities
US9974612B2 (en)2011-05-192018-05-22Intouch Technologies, Inc.Enhanced diagnostics for a telepresence robot
US20150304346A1 (en)*2011-08-192015-10-22Korea University Research And Business FoundationApparatus and method for detecting anomaly of network
US10331323B2 (en)2011-11-082019-06-25Intouch Technologies, Inc.Tele-presence system with a user interface that displays different communication links
US9715337B2 (en)2011-11-082017-07-25Intouch Technologies, Inc.Tele-presence system with a user interface that displays different communication links
US20140372602A1 (en)*2011-12-132014-12-18China Unionpay Co., Ltd.Automatic health-check method and device for on-line system
US9774514B2 (en)*2011-12-132017-09-26China Unionpay Co., Ltd.Automatic health-check method and device for on-line system
US9251313B2 (en)2012-04-112016-02-02Intouch Technologies, Inc.Systems and methods for visualizing and managing telepresence devices in healthcare networks
US10762170B2 (en)2012-04-112020-09-01Intouch Technologies, Inc.Systems and methods for visualizing patient and telepresence device statistics in a healthcare network
US9224181B2 (en)2012-04-112015-12-29Intouch Technologies, Inc.Systems and methods for visualizing patient and telepresence device statistics in a healthcare network
US11205510B2 (en)2012-04-112021-12-21Teladoc Health, Inc.Systems and methods for visualizing and managing telepresence devices in healthcare networks
US10892052B2 (en)2012-05-222021-01-12Intouch Technologies, Inc.Graphical user interfaces including touchpad driving interfaces for telemedicine devices
US11628571B2 (en)2012-05-222023-04-18Teladoc Health, Inc.Social behavior rules for a medical telepresence robot
US10603792B2 (en)2012-05-222020-03-31Intouch Technologies, Inc.Clinical workflows utilizing autonomous and semiautonomous telemedicine devices
US10658083B2 (en)2012-05-222020-05-19Intouch Technologies, Inc.Graphical user interfaces including touchpad driving interfaces for telemedicine devices
US9174342B2 (en)2012-05-222015-11-03Intouch Technologies, Inc.Social behavior rules for a medical telepresence robot
US9361021B2 (en)2012-05-222016-06-07Irobot CorporationGraphical user interfaces including touchpad driving interfaces for telemedicine devices
US10328576B2 (en)2012-05-222019-06-25Intouch Technologies, Inc.Social behavior rules for a medical telepresence robot
US10780582B2 (en)2012-05-222020-09-22Intouch Technologies, Inc.Social behavior rules for a medical telepresence robot
US11515049B2 (en)2012-05-222022-11-29Teladoc Health, Inc.Graphical user interfaces including touchpad driving interfaces for telemedicine devices
US11453126B2 (en)2012-05-222022-09-27Teladoc Health, Inc.Clinical workflows utilizing autonomous and semi-autonomous telemedicine devices
US9776327B2 (en)2012-05-222017-10-03Intouch Technologies, Inc.Social behavior rules for a medical telepresence robot
US10061896B2 (en)2012-05-222018-08-28Intouch Technologies, Inc.Graphical user interfaces including touchpad driving interfaces for telemedicine devices
US10334205B2 (en)2012-11-262019-06-25Intouch Technologies, Inc.Enhanced video interaction for a user interface of a telepresence network
US9098611B2 (en)2012-11-262015-08-04Intouch Technologies, Inc.Enhanced video interaction for a user interface of a telepresence network
US10924708B2 (en)2012-11-262021-02-16Teladoc Health, Inc.Enhanced video interaction for a user interface of a telepresence network
US11910128B2 (en)2012-11-262024-02-20Teladoc Health, Inc.Enhanced video interaction for a user interface of a telepresence network
US20140229414A1 (en)*2013-02-082014-08-14Ebay Inc.Systems and methods for detecting anomalies
US20180343172A1 (en)*2014-09-112018-11-29Infoblox Inc.Exponential moving maximum (emm) filter for predictive analytics in network reporting
US11153176B2 (en)*2014-09-112021-10-19Infoblox Inc.Exponential moving maximum (EMM) filter for predictive analytics in network reporting
US10038702B2 (en)2014-12-152018-07-31Sophos LimitedServer drift monitoring
US20160173509A1 (en)*2014-12-152016-06-16Sophos LimitedThreat detection using endpoint variance
US10447708B2 (en)2014-12-152019-10-15Sophos LimitedServer drift monitoring
US9774613B2 (en)2014-12-152017-09-26Sophos LimitedServer drift monitoring
US9740859B2 (en)2014-12-152017-08-22Sophos LimitedThreat detection using reputation data
US9419989B2 (en)2014-12-152016-08-16Sophos LimitedThreat detection using URL cache hits
US9571512B2 (en)*2014-12-152017-02-14Sophos LimitedThreat detection using endpoint variance
US9935858B1 (en)2015-08-242018-04-03Xangati, IncEnhanched flow processing
US20170093907A1 (en)*2015-09-282017-03-30Verizon Patent And Licensing Inc.Network state information correlation to detect anomalous conditions
US10021130B2 (en)*2015-09-282018-07-10Verizon Patent And Licensing Inc.Network state information correlation to detect anomalous conditions
CN105208040B (en)*2015-10-122019-03-26北京神州绿盟信息安全科技股份有限公司A kind of network attack detecting method and device
CN105208040A (en)*2015-10-122015-12-30北京神州绿盟信息安全科技股份有限公司Network attack detection method and device
US20170206354A1 (en)*2016-01-192017-07-20International Business Machines CorporationDetecting anomalous events through runtime verification of software execution using a behavioral model
US10152596B2 (en)*2016-01-192018-12-11International Business Machines CorporationDetecting anomalous events through runtime verification of software execution using a behavioral model
US10204214B2 (en)2016-09-142019-02-12Microsoft Technology Licensing, LlcPeriodicity detection of network traffic
WO2018140556A1 (en)*2017-01-252018-08-02Centurylink Intellectual Property LlcMachine discovery of aberrant operating states
US10438124B2 (en)2017-01-252019-10-08Centurylink Intellectual Property LlcMachine discovery of aberrant operating states
US10346756B2 (en)2017-01-252019-07-09Centurylink Intellectual Property LlcMachine discovery and rapid agglomeration of similar states
US11862302B2 (en)2017-04-242024-01-02Teladoc Health, Inc.Automated transcription and documentation of tele-health encounters
US11190419B1 (en)*2017-05-242021-11-30Amazon Technologies, Inc.Tunable-granularity multi-level histograms for efficient computer system metric analysis
US11742094B2 (en)2017-07-252023-08-29Teladoc Health, Inc.Modular telehealth cart with thermal imaging and touch screen user interface
US11636944B2 (en)2017-08-252023-04-25Teladoc Health, Inc.Connectivity infrastructure for a telehealth platform
US11389064B2 (en)2018-04-272022-07-19Teladoc Health, Inc.Telehealth cart that supports a removable tablet with seamless audio/video switching

Similar Documents

PublicationPublication DateTitle
US8639797B1 (en)Network monitoring of behavior probability density
US8645527B1 (en)Network monitoring using bounded memory data structures
US7050931B2 (en)Computing performance thresholds based on variations in network traffic patterns
Teixeira et al.Traffic matrix reloaded: Impact of routing changes
Simmross-Wattenberg et al.Anomaly detection in network traffic based on statistical inference and\alpha-stable modeling
US20200134441A1 (en)Multi-domain service assurance using real-time adaptive thresholds
US20020170002A1 (en)Method and system for reducing false alarms in network fault management systems
CN114630352B (en) Fault monitoring method and device for access equipment
WO2010044782A1 (en)Managing event traffic in a network system
Patcha et al.Network anomaly detection with incomplete audit data
KR20050030539A (en)Real-time sla impact analysis
Drobisz et al.Adaptive sampling methods to determine network traffic statistics including the hurst parameter
Streilein et al.Cyber situational awareness through operational streaming analysis
CN119383056A (en) A network abnormality monitoring and processing system
US8838774B2 (en)Method, system, and computer program product for identifying common factors associated with network activity with reduced resource utilization
Dimitropoulos et al.The eternal sunshine of the sketch data structure
US10855708B1 (en)Symptom detection using behavior probability density, network monitoring of multiple observation value types, and network monitoring using orthogonal profiling dimensions
CN117254948A (en)Intranet host recognition method based on flow characteristics
Liu et al.End-to-end delay boundary prediction using maximum entropy principle (mep) for internet-based teleoperation
Xiao et al.Using outlier detection to reduce false positives in intrusion detection
Ndong et al.A robust anomaly detection technique using combined statistical methods
CN120090947B (en) A network fault intelligent early warning system based on neural network prediction algorithm
CN120128573B (en) Data link layer resolution method under industrial field network address conflict environment
WO2007011947A1 (en)Optimal combination of sampled measurements
Casale et al.Identifying Network Failures and Evaluating Link MTBF from Utilization Logs

Legal Events

DateCodeTitleDescription
ASAssignment

Owner name:XANGATI, INC., CALIFORNIA

Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SANDERS, DEREK;JAGANNATHAN, RANGASWAMY;LEE, ROSANNA;AND OTHERS;REEL/FRAME:021927/0464

Effective date:20081027

STCFInformation on status: patent grant

Free format text:PATENTED CASE

FEPPFee payment procedure

Free format text:PAT HOLDER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: LTOS); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

ASAssignment

Owner name:WESTERN ALLIANCE BANK, CALIFORNIA

Free format text:SECURITY INTEREST;ASSIGNOR:XANGATI, INC.;REEL/FRAME:039989/0821

Effective date:20161011

ASAssignment

Owner name:TRIPLEPOINT VENTURE GROWTH BDC CORP., CALIFORNIA

Free format text:SECURITY INTEREST;ASSIGNOR:XANGATI, INC.;REEL/FRAME:039995/0825

Effective date:20161011

FPAYFee payment

Year of fee payment:4

ASAssignment

Owner name:VIRTUAL INSTRUMENTS WORLDWIDE, INC, CALIFORNIA

Free format text:ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:XANGATI INC;REEL/FRAME:046151/0755

Effective date:20180612

ASAssignment

Owner name:TRIPLEPOINT VENTURE GROWTH BDC CORP., CALIFORNIA

Free format text:SECURITY INTEREST;ASSIGNORS:VIRTUAL INSTRUMENTS CORPORATION;VIRTUAL INSTRUMENTS USA, INC.;XANGATI, INC.;AND OTHERS;REEL/FRAME:046941/0930

Effective date:20180906

ASAssignment

Owner name:WESTERN ALLIANCE BANK, CALIFORNIA

Free format text:SECURITY INTEREST;ASSIGNOR:VIRTUAL INSTRUMENTS WORLDWIDE, INC.;REEL/FRAME:047127/0767

Effective date:20181010

MAFPMaintenance fee payment

Free format text:PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment:8

ASAssignment

Owner name:MIDTOWN MADISON MANAGEMENT LLC, NEW YORK

Free format text:SECURITY INTEREST;ASSIGNORS:VIRTUAL INSTRUMENTS CORPORATION;VIRTUAL INSTRUMENTS WORLDWIDE, INC.;XANGATI, INC.;REEL/FRAME:058668/0268

Effective date:20220107

Owner name:XANGATI, INC., CALIFORNIA

Free format text:RELEASE BY SECURED PARTY;ASSIGNOR:WESTERN ALLIANCE BANK;REEL/FRAME:058612/0658

Effective date:20220107

Owner name:VIRTUAL INSTRUMENTS WORLDWIDE, INC., CALIFORNIA

Free format text:RELEASE BY SECURED PARTY;ASSIGNOR:WESTERN ALLIANCE BANK;REEL/FRAME:058612/0102

Effective date:20220107

ASAssignment

Owner name:XANGATI, INC., CALIFORNIA

Free format text:RELEASE BY SECURED PARTY;ASSIGNOR:TRIPLEPOINT VENTURE GROWTH BDC CORP., AS THE SECURED PARTY;REEL/FRAME:058652/0685

Effective date:20220107

Owner name:VIRTUAL INSTRUMENTS WORLDWIDE, INC. F/K/A LOAD DYNAMIX, INC., CALIFORNIA

Free format text:RELEASE BY SECURED PARTY;ASSIGNOR:TRIPLEPOINT VENTURE GROWTH BDC CORP., AS THE SECURED PARTY;REEL/FRAME:058652/0332

Effective date:20220107

MAFPMaintenance fee payment

Free format text:PAYMENT OF MAINTENANCE FEE, 12TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2553); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment:12
[8]ページ先頭
©2009-2025 Movatter.jp